FILE - This Monday, Jan. 30, 2017, file photo shows a sign above the headquarters of Kaspersky Lab in Moscow. On Monday, Oct. 23, 2017, Kaspersky Lab said it will open up its anti-virus software to outside review as it deals with security concerns. The company is making the move a month after the U.S. government barred agencies from using its software. (AP Photo/Pavel Golovkin, File)

Kaspersky to open security code, but will it restore trust?

Kaspersky to open security code, but will it restore trust?

By MATT O'BRIEN

Oct. 23, 2017

https://www.apnews.com/274a475f80104b5c858855ccfc2f2e1d

Link copied!

Moscow-based cybersecurity firm Kaspersky Lab, battered by suspicion of Russian government influence, wants to reassure customers by opening up its software's underlying code for outside review. But security experts and some U.S. politicians say the move is mostly meaningless.

The company has repeatedly denied the allegations and says it's been dragged into the middle of a "geopolitical fight."

Now Kaspersky says it will provide the source code of its software — including software updates and threat-detection rules updates — for independent review and assessment. Outside experts, however, say such a review can only reveal so much, and thus would do little to address concerns of customers and the U.S. government.

"They're trying to salvage their reputation," said Blake Darche, a former NSA worker who is now chief security officer for security firm Area 1. "I don't see how it addresses the allegations against them in any meaningful way."

"This review is a red herring that doesn't address any of the fundamental underlying concerns with Kaspersky products, most significantly, that Russian law enables the Kremlin to monitor data transmissions, including Kaspersky's," U.S. Sen. Jeanne Shaheen, a New Hampshire Democrat and regular Kaspersky critic, said in a statement Monday.

The suspicion has taken a toll on Kaspersky. Shortly after the federal ban, retailers such as Best Buy and Office Depot also stopped selling its consumer security software.

Then news broke in early October that hackers allegedly working for the Kremlin used Kaspersky's software to steal information from a National Security Agency contractor about how the U.S. infiltrates foreign networks and defends against cyberattacks. The company denied involvement.

CEO Eugene Kaspersky said on Twitter on Monday that's he's evaluating contractors who can conduct an independent code review.

By 2020, the company says it plans to open three centers in Europe, Asia and the United States where it says customers, government agencies and concerned organizations will also be able to review its code.

Security researcher Chris Wysopal said he welcomed multiple, independent reviewers, but cautioned that such analyses can provide only a snapshot of how the software works at a given moment in time. Like phone apps and other programs, security software is frequently updated.

"Even with this transparency, there's still a level of trust you have to give the company," said Wysopal, the chief technology officer of Vericode, a part of CA Technologies. "But this is a world we live in. There's a supply chain. We live in a world of dynamic software, constantly updating."